Page 18 - Profmark_2024_Directors Guide

          ■ Duty to facilitate shareholders’ meeting (Section 61)
          ■ Duty to facilitate directors’ meetings (Section 73)
          ■ Duty to enable shareholders to exercise their voting powers and rights [Section 2(2) & 58]
          ■ Duty to operate in the best interest of the shareholders [Section 20(6) & (7) & 76(3)]
        Duties Relating to Accountability, Transparency and Disclosure
          ■ Duty to prepare financial/annual financial statements (Section 29 & 30)
          ■ Duty to prepare a directors’ report [Section 30(3)]
          ■ Duty to issue a prospectus (Section 100)
          ■ Duty to disclose director’s remuneration information (Section 30)
          ■ Duty to disclose director’s financial interests (Section 75)
          ■ Duty to file an annual return (Section 33) together with accompanying documentation,
         where applicable
        Other Duties and Responsibilities
          ■ Duty to operate within the framework of King IV™
          ■ Duty to comply with all other legislation
        Directors’ duties under POPIA and PAIA
          ■ In terms of the business judgement rule, directors are required to take reasonably diligent
         steps to become informed about POPIA.
          ■ As the Responsible Party (who processes personal information), a company, or its board
         of directors, is required to appoint and register an Information Officer with the Information
         Regulator.
          ■ Usually the role of the Information Officer is, by default, assigned to the Chief Executive
         Officer, Managing Director or an equivalent officer of a company.
          ■ Notwithstanding the delegation of authority to the Information Officer or IT Manager (in
         regard to the protection of cyber security), the board retains overall responsibility over
         POPIA compliance of the Responsible Party.
          ■ The board is required to implement a ‘POPI’ programme to ensure the protection of personal
         information for their ‘Data Subjects’ (employees, clients, customers, suppliers etc).
          ■ The POPI programme should aim, inter alia, to identify risk areas, develop strategies and
         policies for POPIA, and ensure the implementation thereof within the organisation.
          ■ Cyber security and data protection policies are required to be developed and implemented,
         not only in compliance with POPIA, but in line with Principle 12 of King IV™.
          ■ Section 22 of POPIA imposes a mandatory reporting obligation on the Responsible Party –
         to report a data breach, in writing, to the Information Regulator, where one has occurred.



